#AnalyticsX
Copyright © 2016, SAS Institute Inc. All rights reserved.
How to Tune Your Cybersecurity RADAR2 With Security Analytics
Mark Dobeck, Professor, Cleveland State University
Stu Bradley, Vice President, Cybersecurity Solutions, SAS
• 200% increase in cost
• 59% detected by 3rd party
• $450B lost
• $154 per record
• 80.5 days
• Billions of events
• $170B annual spend
Security Analytics: The Buzz Is Not Enough
• Rules/Thresholds
• Behavioral Analytics
• Data Visualization
• Security Analytics
• In-Stream
• Machine Learning
• Statistical Modeling
• In-Memory
• Anomalous Behavior
Analytic Maturity Curve
• Search, Query & Response
• Predictive Analytics
• Behavioral Anomalies
• Rules & Signatures
What’s Being Overlooked?
• Value of Results
• Data
• Time
• Analytic Approach
There is Hope for Security Analytics
• Security analytics can provide network visibility
• You should understand the impact of scale
• You should investigate the data, timing & analytic approaches used
Cybersecurity Is Strategic
• Long-term & operational considerations
• Expand & elevate CISO/CDO role
• Cybersecurity must be adaptive
• Technology trends:
  • Artificial intelligence
  • Machine learning
  • Behavioral analytics
  • Predictive analytics
RADAR2 Methodology for Cybersecurity
1. Readiness
2. Awareness
3. Detection
4. Action
5. Remediation
6. Recovery
Readiness (1)
• Enterprise cybersecurity risk management plan
• Planning & preparation
• Formal policies & procedures
• Documentation
• Implementation
• Cybersecurity Readiness Team
• Testing
• Monitoring
Data Governance (1)
• Compliance
• Legal obligations
• Regulatory requirements
• Fiduciary responsibility
• Data is an asset class
Threat Intelligence (1)
• Internal analysis
• External information: ISAC (Information Sharing & Analysis Center)
• External feeds
• Threat intelligence must be: accessible, intelligible, timely, actionable, reliable, relevant
Awareness (2)
• Analytics/cybersecurity culture
• Mandatory education & training
• Change management plan
• Commitment
• Communication
Detection (3)
• Threat recognition & forecasting
• Predictive analytic tools
• Behavioral analytic tools
• Anomalies/suspicious activity
• Rapid Response Team notification
Machine Learning (3)
• Artificial intelligence
• Data-intensive
• Autonomous learning
• Structured & unstructured data
• Supervised & unsupervised learning
• Automation
Behavioral Analysis (3)
• Email
• Social media
• Unauthorized access
• Pattern & trend recognition
• Anomaly detection
• Data leaks
Predictive Analytics (3)
• Data-driven
• Near real-time
• Machine learning
• Multiple information sources
• Internal & external
• Improves response capabilities
Action (4)
• Rapid Response Team assessment
• Corrective action determination & damage control
• Legal evaluation & review
• Initial communications (internal & external)
• Investigation (internal & external)
• Law enforcement
Remediation (5)
• Correct problems & issues
• Formal enterprise security audit
• Update/upgrade vulnerability detection & response technology
Recovery (6)
• Conduct formal post-mortem (lessons learned)
• Revise cybersecurity policies & procedures
• Change implementation & testing
• Accurate & timely communications
• Return to normal operations
Summary
• Cybersecurity is strategic
• RADAR2 is an ongoing process
• Awareness, communication & coordination are key to an effective cybersecurity culture
• Security analytics enables data-driven decision-making throughout the cycle
Q & A
Speakers:
• Stu Bradley, VP, Cybersecurity Solutions, SAS
• Mark Dobeck, Ph.D., Cleveland State University
Visit the Innovation Hub to learn about SAS & security analytics
Research briefs on the RADAR2 method available at iianalytics.com